Endpoints with the Wrong switch IP and Port ID in Live Session in ISE 2.3 (Patch 2)

Hi Everyone

I'm facing weird behaviour in Cisco ISE 2.3 Patch 2: I can see the endpoint in the Live Session with the wrong switch IP and Port ID, and the same is true under Context Visibility.

What is even weirder is that the interface (Port) ID of the wrong switch (NAD) is the uplink trunk to the correct switch where the endpoint is actually connected.

The correct switch is a 3650 running 3.6.6E, while the wrong switch is a 3560V2 running 15.0(2)SE10a.

In the Live Logs and also under the report --> RADIUS Authentication, this endpoint's MAC was only seen coming from the correct switch IP and Port ID, and it was never connected to the wrong switch at all (both are access switches).

But under the report --> RADIUS Accounting I can see the wrong switch is sending RADIUS Interim-Update about the same endpoint.

On both switches this command is enabled to keep the session alive between the switches and Cisco ISE:

aaa accounting update periodic 60

This issue never happened when this customer was running Cisco ISE 1.4 Patch 11, but at that time this RADIUS accounting command was not applied on the switches.

Any thoughts please?
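To illustrate the mismatch described in this post, here is an added Python example that is not part of the thread: it parses constructed RADIUS accounting records (Start and Interim-Update) and lists each endpoint MAC whose accounting updates name a different NAS-IP-Address / NAS-Port-Id than the NAD that started the session. The log line layout, addresses and MACs are constructed; the attribute names are standard RADIUS.

```python
# Added example (not from the thread): detect accounting updates for an
# endpoint MAC that come from a NAD/port other than the one that started
# the session. All values below are constructed for illustration.
import re
from collections import defaultdict

# Constructed sample: endpoint 00-11-22-33-44-55 is authenticated on the
# 3650 access port, then reported again by the 3560V2 on its uplink trunk.
SAMPLE_LOG = """\
Acct-Status-Type=Start, Calling-Station-Id=00-11-22-33-44-55, NAS-IP-Address=10.1.1.10, NAS-Port-Id=GigabitEthernet1/0/7, Acct-Session-Id=000000A1
Acct-Status-Type=Interim-Update, Calling-Station-Id=00-11-22-33-44-55, NAS-IP-Address=10.1.1.10, NAS-Port-Id=GigabitEthernet1/0/7, Acct-Session-Id=000000A1
Acct-Status-Type=Interim-Update, Calling-Station-Id=0011.2233.4455, NAS-IP-Address=10.1.1.20, NAS-Port-Id=GigabitEthernet0/49, Acct-Session-Id=000000C3
Acct-Status-Type=Start, Calling-Station-Id=AA-BB-CC-DD-EE-FF, NAS-IP-Address=10.1.1.20, NAS-Port-Id=FastEthernet0/3, Acct-Session-Id=000000C4
Acct-Status-Type=Interim-Update, Calling-Station-Id=AA-BB-CC-DD-EE-FF, NAS-IP-Address=10.1.1.20, NAS-Port-Id=FastEthernet0/3, Acct-Session-Id=000000C4
"""

PAIR_RE = re.compile(r"([\w-]+)=([^,]+)")

def normalize_mac(mac):
    """Return the MAC in upper-case IETF form (00-11-22-33-44-55) regardless
    of how the sending NAD formatted Calling-Station-Id."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_record(line):
    """Turn 'Attr=value, Attr=value' into a dict with a normalized MAC."""
    attrs = {k: v.strip() for k, v in PAIR_RE.findall(line)}
    attrs["Calling-Station-Id"] = normalize_mac(attrs.get("Calling-Station-Id", ""))
    return attrs

def find_nad_conflicts(log_text):
    """Map each endpoint MAC to the (NAS-IP-Address, NAS-Port-Id) pairs seen in
    non-Start accounting records that disagree with that MAC's Start record."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    start_nad = {}                      # MAC -> NAD/port that sent Acct Start
    for r in records:
        if r["Acct-Status-Type"] == "Start":
            start_nad[r["Calling-Station-Id"]] = (r["NAS-IP-Address"], r["NAS-Port-Id"])
    conflicts = defaultdict(list)
    for r in records:
        mac = r["Calling-Station-Id"]
        nad = (r["NAS-IP-Address"], r["NAS-Port-Id"])
        if r["Acct-Status-Type"] != "Start" and mac in start_nad and start_nad[mac] != nad:
            conflicts[mac].append(nad)
    return dict(conflicts)

if __name__ == "__main__":
    for mac, nads in find_nad_conflicts(SAMPLE_LOG).items():
        print(mac, "also reported by", nads)
```

Run against an export of the RADIUS Accounting report, the same check points at the uplink NAD whose accounting records ISE is merging into the endpoint's session.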

4 Replies

Hi,

Do you have any other aaa accounting commands configured on the switches?

E.g. aaa accounting dot1x default start-stop group .....

Hi RJI
Definitely I do have this command. This deployment has been running for 5 years now (since Cisco ISE 1.2).
Here are the most relevant RADIUS commands in all access switches:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 60
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute nas-port format c
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 30 tries 3
radius-server timeout 10
radius-server host <PSN1> auth-port 1812 acct-port 1813 test username NAC-TEST idle-time 1 key XXXXX
radius-server host <PSN2> auth-port 1812 acct-port 1813 test username NAC-TEST idle-time 1 key XXXXX
!
ip radius source-interface VlanX
!
aaa server radius dynamic-author
client <PSN1> server-key XXXXX
client <PSN2> server-key XXXXX
auth-type any
!

Hi. Have you found a solution to this problem? I have the same problem.

hslai
Cisco Employee

I would suggest you focus on the switch side. For example, remove the accounting command(s) on the uplink switch(es), if applicable.